- Cold Case Chronicles
- Crime Lab
- Crime Scene
- Digital Forensic Insider
- Digital Forensics
- Evidence Collection
- Forensic Anthropology
- Forensic Pathology: Expert Witness
- Impression Evidence
- Medical Examiner
- Mobile Forensics
- Most Wanted
- The DNA Collection
- Who Says
From minor crimes to major cases, law enforcement is faced with the proper handling and analysis of these devices.
You see them everywhere, cellular phones and handheld devices (smart phone, BlackBerry, iPhone, etc.). They are a part of our world’s culture. Dr. Thomas P.M. Barnett, author of Great Powers: America and the World After Bush, remarked in a recent radio interview, “…cell phones are selling like crazy in rural India…farmers are buying them before they put a toilet in their house…” Additionally, recent news reports indicate that, statistically, 90% of all Americans own a cellular phone. Having this kind of societal importance and wide distribution, it is not surprising that cellular phones and handheld devices are being widely used in even the most minor criminal activity. These devices can provide significant evidence in major cases. This article will discuss considerations for law enforcement in the handling and analysis of these devices.
Not so long ago, a cellular phone had a rudimentary call history, phone book, and messaging system containing both text and voice messages. Now these handheld devices can be as complex as small computers. Even the least complex model can contain sophisticated multimedia messaging, Internet access, integrated global positioning system (GPS) functions, data connectivity, etc. These functions can provide a wealth of information to law enforcement.
Cellular phones operate on radio frequency (RF) protocols. When a cellular phone is turned on, it searches for the strongest signal, usually from the nearest cellular tower, or the one having the best line of sight. As the device is transported, it will continue searching and adjusting to utilize the tower with the strongest signal. The designation of the most recently connected tower is recorded as a database entry in the cellular phone file system. Moving to a new area will cause this entry to be updated. With an active connection to the system, service providers can utilize low call volume periods to update phone connection (roaming) and file system software. These updates can have an impact on the stored data on a device.
Some individuals use a pass code lock to secure their phone. When the phone is turned off, or loses battery power, the lock will be in place when the phone is powered on again. This situation can frustrate the examination of the phone. While this is a concern, instances of locked phones are a low percentage of handheld devices examined. In some of these incidents, the pass code can be obtained through examination software.
On or Off?
Like all forms of evidence, handheld devices require certain precautions to preserve their value for an investigation. During the collection of cellular phones, there has been a debate on how to best preserve their data. This debate centers on whether to turn the phone off or leave it on at collection. It is recommended to power the phone off to preserve data and battery power. If for some reason this is not possible, then the phone needs to be protected from cell tower signals. There are packaging products created for signal protection, such as the Stronghold Bag™(Paraben Corporation), or an unlined quart-sized paint can, also known as an arson can. However, leaving a cellular phone powered on in a signal blocking container increases the device’s active search for a cellular network. This increased activity will cause battery failure at a quicker than normal pace. If protective packaging is utilized, then a method of powering the device should be considered, or the examiner should be alerted so that an immediate examination can be conducted.
When the phone is turned off, it can be packaged in a paper evidence bag and sealed with evidence tape. To simplify the forensic examination, handheld devices should be packaged separately from other evidence and, when possible, their charging cords/adapters should be packaged with them. If a pass code is known for the phone by the arresting officer or investigator, it should be written on a piece of paper and packaged with the phone.
Like computer evidence, it is necessary to have proper legal authority to conduct a forensic examination of cellular phones and handheld devices. There is, however, an exception supported by case law (U.S. v. Finley C.A.5 Tex., 2007, & U.S. v. Carroll N.D. Ga., 2008) which allows a search “incident to arrest.” Search incident to arrest is commonly associated with searches of arrestees, and motor vehicles (U. S. v. Robinson 414 U.S. 218, 220 , New York v. Belton 453 U.S. 454 , & Thornton v. U. S. 541 U.S. 615 ). These searches are allowed by the court to be conducted for officer safety and the preservation of evidence that can be easily destroyed. It should be noted that this exception for handheld devices is tightly controlled by a limited duration of time, and “lawfully may be searched without a warrant only if the search is ‘substantially contemporaneous’ with the arrest” (U.S. v. Curry D. Me., 2008).
A search incident to arrest of a handheld device is typically conducted by using the collected device’s keyboard/keypad and menu options to navigate to and record the observed information, either by written or photographic/video documentation. Cellular phone and handheld device tool development has allowed for the immediate download using a mobile lab, typically consisting of a laptop computer with the appropriate forensic and cellular phone acquisition software. Devices such as the CSI Stick™ (Paraben Corporation), which supports nearly 350 cellular phones, can be an efficient solution for use in acquisition and documentation of cellular phone data while other arrest activities are being conducted.
For post-arrest and/or forensic searches, examination, and analysis, proper authorization for the search must be obtained. Best practices recommend that this authorization consists of a Search Warrant, or a formalized Consent to Search.We have found in practice that, due to an individual’s dependence on their cellular phone, consent is routinely granted by subjects under investigation and victims will almost always grant consent for the preservation of evidence from their cellular phone.
Protecting Evidentiary Data
In April 2007, the Scientific Working Group on Digital Evidence (SWGDE) released a document that listed a hierarchy of retrieval methods for the preservation and examination of cellular phone evidence. Essentially, this document suggested processing the evidence using a tiered approach, in the following order:
- forensic cellular/handheld device software
- consumer (open source and/or manufacturer’s) backup software
- menu navigation and photographic/video documentation -menu navigation and transcription of information viewed
- transfer via e-mail or messaging of data to a downloadable device
Frequently a combination of these tiers will be necessary to obtain the most complete data preservation, and to validate the results of an examination.
Once a handheld device has been collected, turned off, packaged, and placed in evidence storage, caution must be used to prevent change to the evidence when the examination is conducted.
When a cellular phone has been powered off, short message service (SMS) text messages and other data queue for delivery when the phone is returned to service. These queued messages and data can overwrite old and deleted messages and data when they are delivered. Service providers will update system files and roaming services when the phone is connected to the system. There is a possibility for corruption of downloaded data as well as the device’s file system, during an examination when the system updates are transmitted to the phone. These events can also cause the loss of evidentiary data.
To prevent this contamination and loss of evidentiary data, it is recommended that RF signal isolation or Faraday shielding be used in the lab for handheld device examinations. There are numerous methods for isolating RF signals in a lab environment which include the use of RF test enclosures (Ramsey Electronics), RF shielding fabrics/wall paper (Axonics International Marketing), as well as signal blocking tents and rooms (RA Mayes Company). RF jamming devices are available, but may be illegal or have other unintended consequences when used, and are not recommended.When choosing a shielding product, it is important to select one that will enable examiners to use the tools necessary for the examination, within the shielded area. An example of this would be the ability to use a camera to document the evidence found using the menu navigation process within the shielded area.
It is crucial to understand that there are a number of obstacles which may be encountered while conducting examinations of handheld devices. The most rudimentary devices may have a limited storage capacity. This can create situations where evidence can easily be lost or overlooked. In some devices, there may only be space for twenty stored call history entries, with a FIFO scheme. FIFO is the acronym for “first in first out.” This creates a situation where the first entry is replaced once the available storage space has been filled. In our example, the moment we receive entry twenty- one, our first entry will be deleted and the new entry (twenty first) is added to our storage space. If we have a phone that has been in storage for several days/weeks/months, and we power it on in an unprotected state, it will connect to the service provider’s network and begin adding queued data that was not available when the device was powered off. This will result in the loss of potentially valuable evidence, by overwriting older and/or deleted entries.
There are two primary networks for cellular phone communication: the Global System for Mobile (GSM) and Code Division Multiple Access (CDMA). They are generally easy to recognize at the device level. AGSM phone will have a subscriber identity module (SIM) card, and a CDMA device will not. SIM cards can and should be examined independently from cellular phones. GSM phones however, cannot be examined fully without their associated SIM card. A note of caution is important; if a SIM card is paired with a phone that it has not previously been associated with, it can delete or overwrite the stored data, which is the target of the investigation on that device.
While there are two distinct cellular phone networks, there are numerous device and service providers offering their own unique devices, file systems, and services. There are literally tens of thousands of different cellular phone models currently in use segmented across multiple providers, with new models being added to the market daily. This represents an enormous challenge for the examiner. The popular Motorola RAZR cellular phone, for example, has at least eleven unique hardware models, having a variety of firmware versions. The Motorola RAZR is offered for both GSM and CDMA networks. There are some bright spots, however. Value added services, such as games and other device applications, have caused the migration toward uniformity in device file systems—for instance, the Binary Runtime Environment for Wireless (BREW) created by Equal. Prior to a BREW application being offered for sale to service providers, it must be registered with Qualcomm. This has created a situation where applications offered by service providers have started to become standardized, with BREW components being added to the providers’ unique device file systems.An excellent example of this can be found in Multimedia Messaging Services (MMS) where image and video data is incorporated in text messages. This MMS data can be vital to investigations such as the prosecution of assaults by and against juveniles involving high school “fight club” cases.
There are essentially three different acquisitions available for handheld devices; logical, physical, and data dump (also known as a hex dump). It is possible with each of these acquisitions to recover deleted data. Some phone data is stored in a database format.When entries to those databases are deleted, the record is flagged as available for new file data. In a logical acquisition, if the deleted entry has not been overwritten, then it may be recoverable. With physical and data dump acquisitions, more data can be recovered but it generally requires more time and knowledge from the examiner.
Due to the volume of different handheld device models, firmware releases, service providers, etc., the examination of cellular phones can be a challenging process. The examination of cellular phones and handheld devices is, however, beneficial for law enforcement, in the collection and preservation of valuable evidence.
Resources for more information on cellular phone technology and case law:
- Mobile basics http://www.mobilein.com/mobile_basics.htm (retrieved 3/29/2009)
- The iPhone Meets the Fourth Amendment http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1084503 (retrieved 3/29/2009)
- Cell site communication http://www.privateline.com/mt_cellbasics/ (retrieved 3/29/2009)
- RF Isolation http://mobileforensics.files.wordpress.com/2007/03/rfisolation.pdf (retrieved 4/4/2009)
- Mobile Device Forensics, Richard Ayers, CFTTNIST, http://www.cftt.nist.gov/AAFS-MobileDeviceForensics.pdf (retrieved 4/5/2009)
- http://csrc.nist.gov/publications/nistir/nistir-7387.pdf (retrieved 4/5/2009)
- Guidelines on Cell Phone Forensics,Wayne Jansen, CFTTNIST, http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf (retrieved 4/5/2009)
Don L. Lewis is a Forensic Computer Analyst with the Lakewood, CO Police Department. Don began his Law Enforcement career in 1979 as a Crime Scene Photographer, and Photo Lab Technician. Don has been with the Lakewood PD for 20 years, the last six in computer forensics. Don provides consultation to individuals in law enforcement on the local and national level, trains personnel in conventional and digital imaging, analysis techniques, and procedures. Don is the former Vice Chairman for the Scientific Working Group for Digital Evidence (SWGDE).